In order to shut the Internet down, anonymous claimed that putting-down the
13 root DNS servers of the Internet and therefore disabling the HTTP Internet, the most widely used function of the Web, would do the job. Those servers are as follow:

Is there 13 root D.N.S servers, or it's all just a lie, and if this assumption is true, can anyone really bring these servers down ?
personally I think the reality is they are comprised of networks of multiple servers that handle the millions of DNS queries the root servers receive every hour, so its impossible to do such a thing, as shutting down the internet as we know it.

HTTP does not require DNS. Most uses of HTTP probably use DNS, so such an attack would disrupt most services on the internet, but as mentioned by other posts, there are countermeasures (caches for one).
–
rox0rSep 10 '12 at 2:05

Well someone brought down godaddy's DNS today causing a massive headache for anyone who didn't get around to migrating all their domains away from them. Not nearly as impressive as bringing down all root DNS servers, but someone managed to DoS a good chunk of internet traffic and inconvenience a good number of sysadmins.
–
dr jimbobSep 10 '12 at 20:30

The root DNS servers aren't actually hit that often, as a normal internet user, you have probably never hit any of the root servers with a lookup. This is really the whole point of DNS - distribution.
–
lynksDec 7 '12 at 20:42

4 Answers
4

There are 13 top-level server designations, but there are significantly more than 13 servers, since most of them are multi-homed. Taking down all of them at the same time would be extraordinarily difficult.

Furthermore, the only information you need to get from the root servers is the location of the TLD servers, of which there's only a few hundred. Any resolving DNS server will already have this information cached, so you have to keep all of these server down for the entire period during which the root data is cached, which is typically 2 days.

During this time, people would notice and take countermeasures to prevent caches from expiring.

Altogether it's a tall order at best, and in all reality just a tough-talking pipe dream.

There are 13 root name server addresses, each corresponding to a separate root name server system. The name server systems are not single machines - rather a collection of physical servers connected together as a distributed system. Each collection of servers is geographically distributed (a technique known as multihoming) such that a natural disaster is unlikely to affect the rest of the systems. In total, there are around 328 distributed servers directly involved.

Each distributed network that represents a root name server is addressable by a single IP address, i.e. one of the root IPs you named. This is possible through a technology called anycast, which causes traffic sent to a root name server IP to be routed to any available participating server.

Only three root name servers (B, D and H) do not use anycast.

The reason anycast is useful in DDoS scenarios is that it allows a single system to distribute traffic across multiple machines, connected via high-speed networks. This essentially acts as a way to split the DDoS into smaller chunks, where they can be dealt with more easily.

There have been two major DDoS attacks against the root name servers. The first was in 2002, where a one-hour attack caused significant problems. Following this, more root name servers moved to anycast. In 2007, a 24-hour attack caused serious problems with two name servers, and some performance issues on another two. The scale of the attack was huge, but the result was negligible for end-users.

All in all, the likelihood of anyone performing an effective attack against such a highly distributed and carefully monitored system is minimal. When combined with traditional DDoS mitigation techniques such as black-holing, anycast effectively negates flooding attacks. Since the systems are so highly distributed, physical attacks against server sites would be infeasible too.

Hmm, why would it be unfeasible to do a physical attack? I think if you take down the majority, DDoS is already going to be a lot easier: there are less targets, and they have more load. It might be kind of useless, but I don't see how it's impossible for an organisation to bomb 70 datacenters.
–
LucSep 10 '12 at 10:35

3

@Luc The datacenters are globally distributed, across a huge number of nation states. Bombing them would require going to war with 50%+ of the entire world. Whilst there is a technical potential for such a bombing operation, the political ramifications would be bizarre and immense. At that point, functional DNS root servers would be so far down the list of civilization's worries that I don't think it's even worth entertaining.
–
PolynomialSep 10 '12 at 10:41

2

Wonder how much of it is hosted at amazon.
–
droopeSep 13 '12 at 21:25

Committing a global blackout is possible only with a well coordinated terrorist plan. If they know the location of every major data-centers in the world including all the root server's location and bomb it, it will spread chaos and business catastrophe. Even the most well planned risk management and BCP methodologies wouldn't make business to continue that same day. After all, the life of each one would always matter than any business that's at stake.

This is the very reason why information and national security is important, to protect life and business from these threats.

-1. There's no technical analysis here. The first two sentences are inaccurate, and the rest is just FUD. The bombing scenario is highly unlikely, due to the distribution of servers across dozens of countries.
–
PolynomialSep 13 '12 at 9:14

I'm making a statement and people should learn to analyze the statement first before looking for a technical analysis. -- Committing a global blackout is possible {"only"} with a well coordinated terrorist plan... -
–
John SantosSep 14 '12 at 2:31

This site isn't for political statements or conjecture. It's a Q&A site where we expect objective and well-sourced answers.
–
PolynomialSep 14 '12 at 6:15

Oh come on, my statement is not political. Think out of the box! I am speaking of a "probability" of a well coordinated attack, and the very reason why people are down voting this opinion is because they have been agitated by this radical way of thinking, and that emotional feeling to down vote was also the same feeling that makes people vulnerable. There's no need to ran down a technical diagram of how anycast works. In security you don't stand at one side, stand in the middle. It's basically a matter of finding the right balance on a couple of different axises.
–
John SantosSep 14 '12 at 10:08